Permiso Security has launched its Risk Score Engine, a new capability that gives security teams a continuous view of identity risk across enterprise environments. The model uses Permiso’s Universal Identity Graph to score human, machine, and AI identities. That includes users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents. The goal is to help teams understand which identities are creating the most risk, what activity needs attention now, and how identity risk is changing over time.
Is it just another risk score?
Security teams already have plenty of dashboards and alerts. A risk score only helps if it explains what changed, why it matters, and what action should come next.Garrett Stephens, senior product marketing manager at Permiso, said many identity scores fail because they are based on static information or only appear after suspicious activity has already triggered an alert.
“Most scores fail because they're built on static data. An identity gets labeled high risk based on its privilege level on day one, and that label never changes. Or the opposite happens, and an identity only becomes "risky" after an alert fires, which is too late. Either way, the analyst is handed a number with no context and has to do the interpretation themselves. That's how you end up with one more dashboard nobody trusts."Permiso's Risk Score is different because "it gives the pulse of identity risk across your entire environment, and also does the interpretation work. Every identity is scored across three dimensions: Behavior, is this identity doing something unusual; Likelihood, is it likely compromised; and Impact, how much damage could it do. Two identities can have the same overall score but completely different risk profiles, and the engine gives them different response recommendations. The score arrives with the evidence behind it and what to do next, so it drives action instead of demanding attention.”Permiso scores identities on a 0-to-100 scale across three dimensions: behavior, likelihood, and impact. Behavior looks at whether an identity is doing something unusual. Likelihood looks at whether that identity may be compromised. Impact looks at how much damage the identity could cause if abused.The engine produces three types of scores. Identity Risk Scores help security teams see which identities carry the most risk. Session Scores help SOC analysts prioritize active sessions. Organization Risk Scores roll identity risk into a broader metric that CISOs and security leaders can track and report over time.
How the scoring works
The Risk Score Engine combines static posture data with runtime behavior. Static inputs include privilege levels, credential hygiene, and entitlement scope. Runtime inputs include active anomalies, threat intelligence matches and authentication context.Permiso also added score velocity detection, which looks at how quickly a score changes. That can help surface compromise patterns that move quickly, especially when identity behavior changes over minutes instead of days.Session-level scoring is aimed at SOC teams. It scores active sessions across suspicion and impact, so analysts can focus on what is happening right now rather than relying only on an identity’s historical profile.
AI agents create a new identity problem
AI agents are becoming part of the identity attack surface because they often authenticate through service accounts, API keys, and OAuth tokens. That can make them difficult to find and govern, especially when tools treat those credentials as separate, unrelated identities.Stephens said Permiso starts by discovering agents and connecting them to the identities they use.“It starts with discovery. Our AI capabilities let us find agents in an environment along with their associated identities, which is harder than it sounds because agents authenticate through service accounts, API keys, and OAuth tokens that traditional tools treat as unrelated. From there, we baseline behavior, follow activity across auth boundaries, and use our Universal Identity Graph to reconstruct the access path an agent took as a chronological session of activity.Agents get scored on the same dimensions as every other identity, but the signals underneath are different. The biggest one is scope drift: an agent is deployed to do a specific job, so when it starts touching systems or data that the job has never required, that deviation means far more than it would for a human user. We also watch how the agent's credentials are used, because an agent's key showing up from unexpected infrastructure usually means the agent isn't the one using it anymore. And we look for signs the agent is being manipulated into acting outside its instructions, a failure mode that doesn't exist for human identities.Finally, blast radius. Agents chain access, so an agent with modest permissions that can invoke services with broader permissions has a much bigger effective reach than its own entitlements suggest.”That is where identity scoring can become more useful than a simple privilege label. An AI agent may not look dangerous based only on its own permissions. But if it can trigger other systems or services with broader access, its real reach may be much larger.
Where MSSPs could use it
For MSSPs, the use case splits into two areas: SOC triage and customer reporting.In the SOC, session scoring can help analysts decide which identity activity needs attention first. That matters when a provider is monitoring many customer environments and cannot afford to chase every signal with the same urgency.Stephens said the organization-level score could also help MSSPs show customers how identity risk is changing over time.“Both, and they serve two different halves of the MSSP business. In the SOC, think of it as high-fidelity identity signals that drive action. Session Scores tell analysts which activity needs investigation right now, scored on both suspicion and impact, so an MSSP running triage across dozens of customer environments can work the handful of sessions that matter instead of drowning in everything else.The Organization Risk Score serves the other half, which is proving value. It rolls identity risk across every environment into a single quantifiable metric, tracked over time and benchmarked against peers. For MSSPs, that's a number that moves. A monthly report that shows a customer how their identity risk has dropped, the factors that drove it, and where they stand against industry peers is a board-ready conversation. It helps leadership understand and quantify their organization's identity risk and see what's being done to reduce it, and it turns the MSSP's work from a list of closed tickets into measurable improvement in posture.”
Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.